George Valkov
Hello!
I woke up this morning, started my DSL modem (takes a new IP from DHCP), and
started my PC (behind a hardware firewall). I noticed a lot of in-bound
traffic filtered by the firewall.
And so, I checked the firewall log file:
http://gfc.my.contact.bg/tests/2007-V-26-firewall-log-01.txt
and noticed that a few hosts are trying to access some service - mostly
TCP:12824 that is filtered by the firewall. Being filtered means that they
cannot determine if there is a host, unless they send a PING for it.
My question is:
Is the client software that stupid to repeat the connection every quarter of a
second?
Or is that some attack against the previous owner of that IP?
Or is that some Trojan client trying to access a server on the previous owner of
that IP?
Or why is that behaviour?
It makes no sense repeating the connection attempt that frequently, unless
trying to flood the other side. Which also does not make sense because this
IP is being assigned to clients of the ISP and not to a server, and flood
attacks are usually used to prevent access to a specific server.
My action was to reset the DSL modem again and take a new "clean" IP for the
DSL modem.
I am also going to ask my ISP to configure the modem not to respond to ICMP
packets.
Thank you for any information and shared knowledge!
George Valkov